Google generates hundreds of billions of dollars in revenue every year selling ads across the internet. It's able to do so against information about you and me that's been collected from a variety of sources - including tracking technologies like cookies. But, through its Privacy Sandbox initiative, the company wants to find new ways of collecting users' interests without tapping into their personal information. We detail how the program has made strides while struggling with controversy all along the way.
What are cookies and why should you care?
Marketers want web surfers to click on their ads and buy what they promote. To ensure a higher likelihood of success, they gather as much information on any given user as possible through tracking technologies such as cookies.
When you visit a website, it may ask you to accept cookies that track your activity on the domain to provide continuity in your experience. If you have an account with the site and have ticked that "Remember me" box, a cookie helps it do that. These tracking cookies can also come from third parties such as affiliated marketers. By being present across millions of sites, ad networks are able to collect data about your browsing habits and even your demographic information in order to present ads you might be inclined to click on.
Privacy advocates have had longstanding concerns about cookies and other tracking technologies like tracking pixels. They note that the amounts of data these trackers generate can be used to build profiles of users, a practice called "fingerprinting".
Enter the GDPR
Those concerns were just some of the motivations that led the European Union to update its policies about the movement of online data, eventually resulting in the adoption of the General Data Protection Regulation in 2016. The GDPR mandated that website owners be transparent about how they use trackers and allow visitors the option to turn off non-essential ones like those for marketing. The EU began enforcing the regulation in 2018.
What is Google Privacy Sandbox?
While simultaneously navigating the GDPR, Google has been battling antitrust rulings and has likely figured that disruption to its lucrative ads business. It, therefore, needs to shape the conversation moving forward and play a role - if not the leading one - in creating new standards not just for how much tracking happens but also what types of data gets netted.
In August 2019, the company debuted Privacy Sandbox with a subdued pair of corporate blog posts outlining its goals for limiting tracking activities in two major parts of the business: The ad selection process and the delivery of conversion metrics to the client. It also wanted to cut down on fraudulent behaviors from bad-faith ad buyers and redesign the separate but just-as-complex advertising regime with Android apps.
Google already had APIs in the works to address these issues and was looking for industry stakeholders to give input as well as proposals. From the outset, advocate groups including the Electronic Frontier Foundation were cool to some of the solutions the ads giant had to offer, saying that its measures didn't go far enough or were just outright flawed.
So, how does Google plan to replace cookies?
Old plan: FLoC
The most controversial of Google's solutions was Federated Learning of Cohorts (FLoC).
FLoC was meant to replace cookies as a way for marketers to gather intelligence about the users' interests. With FLoC, the idea is that a user, signified through a token stored locally with the web browser, would be cycled through various "cohorts" of several thousand people featuring roughly similar browsing histories. Websites log visits from the user via their cohort token. When marketers want to sell an ad to a site visitor, they ask for the cohort number the user is in and receive interests reflected by the cohort as a whole - theoretically removing fine-level details a requesting party can pick up about any given user.
The EFF called out FLoC for having the potential to brand thousands of people at a time with a profile of behaviors and have that tied to personal information via an account login. As Google tried to adapt its way through doubts on FLoC's efficacy, regulators in Europe were already signaling their worry about the program's compliance with the GDPR (via Android Police).
The British government was so concerned about Google's plans to replace cookies with FLoC that the Competition and Markets Authority compelled it to allow oversight and make other commitments regarding its plans for Privacy Sandbox. Ironically enough, the company had already pushed the timeline for integrating FLoC into Chrome multiple times before it ended up killing that idea in January 2022.
New plan: Topics
As part of its suite of APIs for addressing Privacy Sandbox's goals, it seems that Google's replacement for FLoC (which was supposed to replace cookies) is Topics, and it's undergoing testing on Chrome for desktop and laptop devices and Android devices as of press time.
Critics haven't been as loud of late - though that isn't to say they've been quiet - about Topics nor the other APIs in Privacy Sandbox. In addition, Google has been reporting quarterly to the CMA about changes to its various APIs. You can see the company's pledges as well as how the regulator is gauging them in the report for Q1 2023 here.
When does Google plan to deprecate cookies?
Google currently plans to implement the Privacy Sandbox APIs with all Chrome users starting in July 2023. In the first quarter of 2024, the company will deprecate third-party cookies for one percent of Chrome's user base. The wider population will then experience a phase-out beginning in the third quarter of that year.
Want to try the Privacy Sandbox APIs?
If you want to try the Privacy Sandbox APIs for yourself, follow these steps:
- On the desktop version of Chrome, enter chrome://settings/privacySandbox into the address and switch the toggle on the page to participate in the beta trial.
- On Android, hop into Chrome, enter the app's settings, select "Privacy and security," and then find the toggle in the "Privacy Sandbox" item.
We should note the APIs being rolled out only concern online ad processes via Chrome. Changes to advertising within Android app environments - which are a can of worms in and of themselves (and Ron Amadeo of Ars Technica argues they are pretty much ineffective) - do not have a timeline for release.